CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved! #airheadsconf!#airheadsconf!1!
ClearPass Access Management Basics
Derin Mellor, 5th June 2013

Network Manager's Desires
• Control who can access what, where and when
• Wired lockdown
• Profile connecting devices
• MAC spoofing prevention
• Simple guest access
• Seamless BYOD
• Posture compliance
  • NAP, persistent, dissolvable
• TACACS
• Network audit
CPPM Operation

Service Processing

Services Match
• Processed top down – first match
• If no match: Reject
• Disabled services are skipped
• Matched on the RADIUS parameters of the first packet
• NOTE: the EAP type is exchanged later in the RADIUS dialogue, so it is not available in the first packet
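The top-down, first-match, reject-by-default service selection described on this slide, written out as an added Python illustration. This is not ClearPass code: the service names, the rule operators, the RADIUS attribute names and the three first-packet attribute sets are constructed for the example.

```python
"""First-match service selection: services are evaluated top down against the
attributes of the FIRST RADIUS packet, a disabled service is skipped, and a
request that matches no service is rejected. Hypothetical model, not CPPM code."""
from dataclasses import dataclass


@dataclass
class Rule:
    attribute: str   # RADIUS attribute name present in the first packet
    op: str          # "EQUALS" or "BELONGS_TO"
    value: object    # str for EQUALS, set of str for BELONGS_TO


@dataclass
class Service:
    name: str
    rules: list      # every rule must hold (match ALL)
    enabled: bool = True


def rule_matches(rule, request):
    actual = request.get(rule.attribute)
    if actual is None:
        return False
    if rule.op == "EQUALS":
        return actual == rule.value
    if rule.op == "BELONGS_TO":
        return actual in rule.value
    raise ValueError(f"unknown operator {rule.op}")


def select_service(services, request):
    """Return the name of the first enabled service whose rules all match,
    or None, which the caller must treat as a Reject."""
    for svc in services:
        if not svc.enabled:
            continue                      # disabled: skipped, not matched
        if all(rule_matches(r, request) for r in svc.rules):
            return svc.name
    return None


# Constructed service list, in evaluation order (top down).
SERVICES = [
    Service("Wired 802.1X Corporate",
            [Rule("NAS-Port-Type", "EQUALS", "Ethernet"),
             Rule("Service-Type", "BELONGS_TO", {"Framed-User", "Login-User"})]),
    Service("Old Guest MAB (disabled)",
            [Rule("Service-Type", "EQUALS", "Call-Check")], enabled=False),
    Service("Guest MAB",
            [Rule("Service-Type", "EQUALS", "Call-Check"),
             Rule("NAS-Port-Type", "BELONGS_TO", {"Ethernet", "Wireless-802.11"})]),
]

# Constructed first-packet attribute sets. There is deliberately no EAP type
# here: the EAP method is negotiated later in the RADIUS dialogue.
DOT1X_REQUEST = {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed-User",
                 "User-Name": "host/pc01.example.com"}
MAB_REQUEST = {"NAS-Port-Type": "Wireless-802.11", "Service-Type": "Call-Check",
               "User-Name": "00-11-22-33-44-55", "Calling-Station-Id": "00-11-22-33-44-55"}
VPN_REQUEST = {"NAS-Port-Type": "Virtual", "Service-Type": "Framed-User",
               "User-Name": "alice"}

if __name__ == "__main__":
    for label, req in [("802.1X", DOT1X_REQUEST), ("MAB", MAB_REQUEST), ("VPN", VPN_REQUEST)]:
        print(label, "->", select_service(SERVICES, req) or "REJECT (no service matched)")
```

The disabled service sits above the live one on purpose: it must be skipped rather than matched, and the VPN request shows the fall-through Reject when nothing matches.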
Simple Corporate Service
Differentiates between a machine and a user authentication
Corporate 802.1X Authentication
Assign the appropriate role
Define Basic Wired 802.1X Corporate Service
• Use the generic 802.1X Wired template
• Service: match these RADIUS attributes
Define Basic Wired 802.1X Corporate Authentication
• Allows known (Endpoint Repository) and unknown MAC addresses
• PEAP inner EAP methods: MSCHAP, TLS, GTC
• Values shown in [ ] can't be edited
• TLS details
Define Basic Wired 802.1X Corporate Enforcement Policy
NOTE: roles are not being used
Testing
(Screenshots: Instant – Machine Login; Instant – User Login)
• Machine power-on
• User login
• User logoff
Guest Access
Guest Login Sequence (Client – NAS – CPPM Server)
1 Unknown PC connects
  • NAS learns the MAC and sends RADIUS Req (MAB) to CPPM
  • MAB Service: verifies MAC; Device = Unknown
  • RADIUS Accept with Guest Reg role; NAS assigns a role with HTTP redirect to CPPM
  • Client: DHCP Req
2 User browses
  • Client: HTTP www.any.com → NAS: HTTPS redirect to CPPM/guest
  • Client: HTTPS CPPM/guest → CPPM presents the Guest portal
3 User login
  • Client: HTTPS POST MAC/User/IP to CPPM
  • PreAuth Service: checks credentials → HTTPS redirect to NAS
  • Client: HTTPS POST MAC/User/IP to NAS → NAS converts it to RADIUS Auth (RADIUS Req User)
  • Guest Service: checks credentials; Device := Known
  • RADIUS Accept with Guest role; NAS assigns the Guest role
4 User on as Guest
Guest Services
• Three guest services:
  1 Guest/Device who have already logged in
    • Known: MAC caching
    • Unknown: Guest Registration portal
  2 PreAuthentication check: verifies user credentials
    • Correct: HTTP POST redirect
    • Incorrect: provides a suitable portal page
  3 Guest Registration
    • RADIUS Request from NAS
MAC Caching - 1
• MAC Authentication: RADIUS Request from NAS
• MAC Authentication: RADIUS Calling-Station-Id = RADIUS User-Name
• Allow known and unknown MAC addresses
MAC Caching - 2
(Enforcement policy screenshot) Rules shown:
• Unknown device: Guest Reg portal
• MAC Spoof
• Guest MAC cache
• Contractor MAC cache
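The MAB service, guest registration and MAC caching from the last few slides, replayed as an added Python model. This is not ClearPass code: the 24-hour cache period, the role names, the guest account and the MAC address are constructed for the example, and the Endpoint Repository is reduced to a status and cache expiry per MAC.

```python
"""Guest MAB with MAC caching: the NAS sends a RADIUS MAB request in which
User-Name must equal Calling-Station-Id; an Unknown endpoint gets the
guest-registration role (HTTP redirect to the portal); a successful guest login
records the endpoint as Known with a cache expiry; a later MAB request from a
Known, unexpired endpoint gets the guest role directly, and an expired one is
sent back to the portal. Hypothetical model, not CPPM code."""
from datetime import datetime, timedelta

GUEST_MAC_CACHE = timedelta(hours=24)    # constructed "Guest MAC Caching" period
ROLE_GUEST_REG = "guest-registration"    # role whose ACL redirects HTTP to CPPM/guest
ROLE_GUEST = "guest"


def normalise_mac(value):
    """'00-11-22-33-44-55', '00:11:22:33:44:55' and '001122334455' compare equal."""
    return value.replace("-", "").replace(":", "").lower()


class EndpointRepository:
    """Minimal stand-in for CPPM's Endpoint Repository: status per MAC."""

    def __init__(self):
        self._db = {}

    def lookup(self, mac):
        return self._db.get(normalise_mac(mac), {"status": "Unknown", "cache_until": None})

    def update_known(self, mac, now):
        # [Update Endpoint Known] plus Guest MAC Caching from the registration profile
        self._db[normalise_mac(mac)] = {"status": "Known", "cache_until": now + GUEST_MAC_CACHE}


def mab_service(repo, request, now):
    """'MAC Caching - 1': accept the MAB request only if User-Name equals
    Calling-Station-Id, then pick the role from the endpoint status."""
    mac = request["Calling-Station-Id"]
    if normalise_mac(request["User-Name"]) != normalise_mac(mac):
        return ("Reject", None)
    ep = repo.lookup(mac)
    if ep["status"] == "Known" and ep["cache_until"] is not None and now <= ep["cache_until"]:
        return ("Accept", ROLE_GUEST)
    return ("Accept", ROLE_GUEST_REG)   # Unknown, or Known but cache expired: re-register


def guest_registration_service(repo, guest_accounts, username, password, mac, now):
    """'Guest Registration': the NAS converts the portal POST into a RADIUS user
    request; on success the device is recorded as Known and gets the guest role."""
    if guest_accounts.get(username) != password:
        return ("Reject", None)
    repo.update_known(mac, now)
    return ("Accept", ROLE_GUEST)


def walk_through():
    """Replays the login sequence; returns the list of (decision, role) pairs."""
    repo = EndpointRepository()
    accounts = {"visitor1": "Welcome123"}          # constructed guest account
    mac = "00:11:22:33:44:55"
    t0 = datetime(2013, 6, 5, 9, 0)
    mab = {"User-Name": "001122334455", "Calling-Station-Id": "00-11-22-33-44-55"}
    return [
        mab_service(repo, mab, t0),                                   # Unknown -> portal
        guest_registration_service(repo, accounts, "visitor1", "Welcome123", mac, t0),
        mab_service(repo, mab, t0 + timedelta(hours=2)),              # cached -> guest
        mab_service(repo, mab, t0 + timedelta(hours=25)),             # cache expired -> portal
        mab_service(repo, {"User-Name": "aabbccddeeff",
                           "Calling-Station-Id": mac}, t0),           # mismatched MAB -> Reject
    ]


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```

Everything in the cached path is decided on the MAC alone, which is why the enforcement policy on this slide also carries a MAC Spoof rule: a cache keyed purely on the MAC inherits whatever risk a spoofed MAC brings.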
PreAuth Check
This service checks the user credentials from the HTTP POST. If they are correct it redirects the HTTP POST to the NAS; if they are incorrect it sends back a suitable error.
Enforcement is just a RADIUS Allow: it does not itself cause the HTTP POST redirect.
Guest Registration - 1
• RADIUS Request from NAS
• Basic RADIUS Authentication
Guest Registration - 2
• Guest Session Timeout
• Guest Bandwidth Limit
• Guest Session Limit – number of allowed devices
• Guest MAC Caching – cache device
• [Update Endpoint Known] – make the device known in CPPM's Endpoint repository
• Aruba Guest WiFi profile – assign VLAN
CPG Configuration
• Enable PreAuth check
• Record MAC address in CPPM
Guest Access
• Account creation: Receptionist, Bulk (Conference), Sponsored, Self-service
• Infrastructure redirects to guest portal
• Simple registration process
• Receipt
• Sponsor confirmation
• Guest notification: web portal, email, SMS
• Totally customizable
Controlling Guests
Profiling Devices and MAC Spoof Prevention
Profile Network Devices
• Most common mechanisms:
  • Relay DHCP requests to CPPM
  • Login at the guest portal
MAC Spoof Detection
• Original DHCP request recorded as genuine
• DHCP fingerprint = MAC + hostname + DHCP option fields
• MAC spoof attack: attempt to get enhanced privileges by setting a PC to another device's MAC
• Subsequent DHCP requests compared with the original; if different, CPPM generates a "Conflict"
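The detection rule on this slide, as an added Python example run over constructed DHCP requests. This is not ClearPass's profiler: the fingerprint here is reduced to MAC + hostname (option 12) + parameter request list (option 55) + vendor class (option 60), the option blobs are constructed inline, and the relay of the request to the collector is assumed to have already happened.

```python
"""MAC spoof detection via DHCP fingerprints: the first DHCP request seen for a
MAC is recorded as genuine; later requests for the same MAC are compared with
it and any difference raises a Conflict. Hypothetical illustration, and the
option set used for the fingerprint is a simplified stand-in for CPPM's."""

OPT_HOSTNAME = 12             # constructed subset of DHCP option codes
OPT_PARAM_REQUEST_LIST = 55
OPT_VENDOR_CLASS = 60
OPT_END = 255


def parse_dhcp_options(blob):
    """Parse a DHCP options TLV blob (after the magic cookie) into {code: bytes}."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:                       # pad option, no length byte
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def fingerprint(mac, options):
    """Fingerprint = MAC + hostname + option 55 list + option 60 vendor class."""
    return (
        mac.lower(),
        options.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
        tuple(options.get(OPT_PARAM_REQUEST_LIST, b"")),
        options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
    )


class SpoofDetector:
    def __init__(self):
        self.genuine = {}                   # mac -> fingerprint of the first request seen

    def observe(self, mac, option_blob):
        """'Genuine' on first sight, 'OK' if unchanged, 'Conflict' if the
        fingerprint for an already-recorded MAC differs."""
        fp = fingerprint(mac, parse_dhcp_options(option_blob))
        first = self.genuine.get(mac.lower())
        if first is None:
            self.genuine[mac.lower()] = fp
            return "Genuine"
        return "OK" if fp == first else "Conflict"


def encode_options(pairs):
    """Build a constructed option blob from (code, bytes) pairs."""
    return b"".join(bytes([c, len(v)]) + v for c, v in pairs) + bytes([OPT_END])


# Constructed samples: a printer with a short option list, and a PC later
# configured with the printer's MAC, which sends a Windows-style request.
PRINTER_MAC = "00:11:22:aa:bb:cc"
PRINTER_REQ = encode_options([(OPT_HOSTNAME, b"printer-3f"),
                              (OPT_PARAM_REQUEST_LIST, bytes([1, 3, 6, 15])),
                              (OPT_VENDOR_CLASS, b"Example Printer")])
SPOOFED_REQ = encode_options([(OPT_HOSTNAME, b"DESKTOP-7Q2"),
                              (OPT_PARAM_REQUEST_LIST,
                               bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252])),
                              (OPT_VENDOR_CLASS, b"MSFT 5.0")])


def demo():
    det = SpoofDetector()
    return [det.observe(PRINTER_MAC, PRINTER_REQ),      # Genuine
            det.observe(PRINTER_MAC, PRINTER_REQ),      # OK
            det.observe(PRINTER_MAC, SPOOFED_REQ)]      # Conflict


if __name__ == "__main__":
    print(demo())
```

The Conflict is raised from the option fields, not the MAC, so a device that only copies the MAC still differs in hostname, parameter request list and vendor class; that Conflict is what the MAC Spoof rule in the MAC caching enforcement policy keys on.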
BYOD
Enrollment and Provisioning Workflow
(Diagram: Active Directory, Access Network, ClearPass Policy Manager)
1. Authorize BYOD enrollment based on AD credentials
2. Register device type & ownership
3. Provision device private key and certificate for that user & device
Other labels in the diagram: "4.", "5. Limited Access Zone", "Revoke certificate (and access) for devices that are lost, stolen or expire"
Onboard iOS – BYOD - 1
Install CPPM's certificate on the device
BYOD - 2
• Login
• Device creates a private key and pushes a CSR to CPPM
• CPPM's CA creates the certificate, which is pushed to the device
• Device uses the profile's certificates to automatically connect to the secured SSID using TLS
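The provisioning and revocation steps from the BYOD slides, as an added Python example using the `cryptography` library. This is not ClearPass Onboard's CA code: the CA name, the device identifier, the validity periods and the in-memory revocation set are all constructed, and the connect-time check stands in for what the policy server does when the device presents its certificate over TLS.

```python
"""BYOD device provisioning: the device generates its private key locally and
sends only a CSR; the policy server's CA issues the certificate; at connect
time the server checks that the certificate was issued by its CA, is within
its validity window and has not been revoked (lost or stolen device).
Hypothetical illustration with the `cryptography` library, not CPPM code."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def utcnow():
    # naive UTC so it compares with cert.not_valid_before / not_valid_after
    return datetime.now(timezone.utc).replace(tzinfo=None)


class OnboardCA:
    """Toy issuing CA with an in-memory revocation set (constructed)."""

    def __init__(self, name="Example Onboard CA"):
        self.key = ec.generate_private_key(ec.SECP256R1())
        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
        now = utcnow()
        self.cert = (x509.CertificateBuilder()
                     .subject_name(subject).issuer_name(subject)
                     .public_key(self.key.public_key())
                     .serial_number(x509.random_serial_number())
                     .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
                     .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
                     .sign(self.key, hashes.SHA256()))
        self.revoked = set()           # serial numbers of revoked device certs

    def issue(self, csr_pem, days=365):
        """Sign a device CSR; the device's private key never reaches the CA."""
        csr = x509.load_pem_x509_csr(csr_pem)
        if not csr.is_signature_valid:
            raise ValueError("CSR signature invalid")
        now = utcnow()
        cert = (x509.CertificateBuilder()
                .subject_name(csr.subject).issuer_name(self.cert.subject)
                .public_key(csr.public_key())
                .serial_number(x509.random_serial_number())
                .not_valid_before(now).not_valid_after(now + timedelta(days=days))
                .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]),
                               critical=False)
                .sign(self.key, hashes.SHA256()))
        return cert.public_bytes(serialization.Encoding.PEM)

    def revoke(self, cert_pem):
        """Device reported lost/stolen: its serial is refused from now on."""
        self.revoked.add(x509.load_pem_x509_certificate(cert_pem).serial_number)

    def check(self, cert_pem):
        """The decision made when the device presents this certificate over TLS."""
        cert = x509.load_pem_x509_certificate(cert_pem)
        if cert.issuer != self.cert.subject:
            return "Reject: unknown issuer"
        try:
            self.cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                          ec.ECDSA(cert.signature_hash_algorithm))
        except Exception:
            return "Reject: bad signature"
        if not (cert.not_valid_before <= utcnow() <= cert.not_valid_after):
            return "Reject: expired or not yet valid"
        if cert.serial_number in self.revoked:
            return "Reject: revoked"
        return "Accept"


def device_enroll(user, device_id):
    """Device side: create the private key locally and return (key, CSR PEM)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"{user}/{device_id}")])
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())
    return key, csr.public_bytes(serialization.Encoding.PEM)


def walk_through():
    """Enroll, connect, lose the device, connect again."""
    ca = OnboardCA()
    _key, csr_pem = device_enroll("alice", "tablet-constructed-01")
    cert_pem = ca.issue(csr_pem)
    before = ca.check(cert_pem)        # device connects with its new certificate
    ca.revoke(cert_pem)                 # device reported lost
    after = ca.check(cert_pem)         # same certificate is now refused
    return before, after


if __name__ == "__main__":
    print(walk_through())
```

The point the slides make is that the CA issues from a CSR, so revocation (not key recovery) is the lever for a lost device: the check above refuses the serial even though the certificate's signature and validity window are still good.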
CPPM Certificate Authority
Posture Compliance
Posture Compliance Options
• Proactive v report only
• Agents:
  • Microsoft NAP: supported from XP SP4 upwards; not supported on Mac OS X
  • Persistent Agent: continually scans; communicates with CPPM; pulls policy over HTTPS; maintains connectivity status in CPPM (TCP 6658); must be installed as an Administrator
  • Dissolvable Agent: user browses to the CPPM captive portal; runs once
Typical Scans
• OS version / service packs / patches
• Firewall running
• Service or application running / not running
• AntiVirus / AntiSpyware operational with up-to-date signatures and recently run
• Bridging disabled
• Prevent second interface connection
• Split tunneling
• Patch management system
Posture Compliance

Look at Posture Events - 2
Reports
Insight Reports
Licensing
CPPM Sizing
Devices (unique MAC addresses) per 24 hours

Size    Name        MAC addresses   Profiled devices
Small   CP-SW-500   500             2000
Med     CP-SW-5K    5000            20K
Large   CP-SW-25K   25K             100K
License Usage
• Guest: number of guest devices that are connected over a 24 hour period
• BYOD: total number of Onboarded devices
• OnGuard: total number of OnGuard devices (per week)
• Enterprise: can be any of the above
• Usage is averaged over a 7 day period; if the average exceeds the license count, a warning is shown in the WebUI
• If it exceeds the license count for 4 out of 6 months, the WebUI is locked; the system will continue authenticating users
Simple Designs
Resilient Guest
NOTES:
• Safely scales to 25K devices
• Cluster traffic: HTTPS, SQL (TCP port 5432) and VIP (TCP port 224.0.0.18)
Large NAC CPPM
(Diagram: Data Centre A and Data Centre B linked over MPLS; remote sites with NAS RADIUS primary A / backup B; RTR; an AD server in each data centre)
• Data Centre A: A1 CPPM-25K Publisher; A2, A3, A4 CPPM-25K Subscribers
• Data Centre B: B1 CPPM-25K Desig-Pub; B2, B3, B4 CPPM-25K Subscribers
NOTES:
• Safely scales to 75K devices
• Pub and Desig-Pub dedicated to mgmt & log
• Cluster traffic: HTTPS, SQL (TCP port 5432)
Q & A
Thank You